DETAILED ACTION
Response to Amendment 

1. Applicant's amendment filed 11 May 2007 amends claims 1, 4, 5, 7-10, 12-14, 16, 19,
20, and 22. Claims 2, 3, 11, 17, 18, and 23-28 have been cancelled. Applicant's amendment has 
been fully considered and entered. 

Response to Arguments 

2. Applicant's argument that Suuronen does not disclose "forward the report information to 
a remote central management system when the report information indicates that the first data 
potentially contains malicious content" has been considered and is persuasive. Therefore, the 
rejection has been withdrawn. However, upon further consideration, a new ground(s) of 
rejection is made in view of Schneier, U.S. Publication No. 2002/0087882. 

Claim Rejections - 35 USC § 102 

3. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(a) the invention was known or used by others in this country, or patented or described in a printed publication in this 
or a foreign country, before the invention thereof by the applicant for a patent. 

(e) the invention was described in (1) an application for patent, published under section 122(b), by another filed
in the United States before the invention by the applicant for patent or (2) a patent granted on an application for 
patent by another filed in the United States before the invention by the applicant for patent, except that an 
international application filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application designated the United 
States and was published under Article 21(2) of such treaty in the English language.

4. Claims 1, 4, 5, 8-10, 12-14, 16, 19, 20 are rejected under 35 U.S.C. 102(a) and/or 102(e)
as being anticipated by Schneier, U.S. Publication No. 2002/0087882. Referring to claim 1, 
Schneier discloses a network monitoring system wherein a customer side firewall is configured 
to monitor data traffic through the network for potential unauthorized intrusions ([0035]-[0037]), 
which meets the limitation of at least one interface configured to receive data transmitted via a
network, a firewall configured to: receive data from the at least one interface, determine whether
the data potentially contains malicious content. Interesting information collected from the 
firewall is sent to an anomaly engine ([0064]), which meets the limitation of identify first data in 
the received data that potentially contains malicious content, intrusion detection logic configured 
to: receive the first data. The anomaly engine determines what information may be worthy of 
additional analysis and sends the information to a resource coordinator for forwarding to a 
remote secure operations center (SOC) ([0064]), which meets the limitations of generate report 
information based on the first data, and forwarding logic configured to: receive the report 
information, forward the report information to a remote central management system when the 
report information indicates that the first data potentially contains malicious content. The SOC 
may inform the network response subsystem of the client side to block certain traffic based on 
the received information ([0068]), which meets the limitation of the report information allowing 
the remote central management system to make a forwarding decision on behalf of the device. 
The anomaly engine receives only the information that cannot be identified by the negative 
filtering (positively identifies traffic as not being malicious) or positive filtering (positively 
identifies traffic as being malicious) ([0064]). The anomaly engine analyzes this received 
information, called "residue", and forwards only interesting information to the SOC ([0064]). 
Meaning that all the "residue" that has not been provided to the SOC has been determined by the 
anomaly detector as being non-malicious traffic and would therefore be allowed, which meets 
the limitation of forward the first data for processing by a user application when the report 
information indicates that the first data does not contain malicious content.

Referring to claim 4, Schneier discloses that information transmitted to the SOC is done
so via a VPN ([0042]), which meets the limitation of a virtual private network gateway 
configured to establish a secure connection with the remote central management system. 

Referring to claim 5, Schneier discloses that the firewall includes anti-virus functionality 
that probes for viruses using signature files ([0037]), which meets the limitation of the firewall 
comprises anti-virus logic configured to examine a data stream for viral signatures using a
signature-based technique. 

Referring to claims 8, 9, Schneier discloses that the firewall receives filter updates from 
the SOC ([0037]), which meets the limitation of the firewall is configured to receive updated 
rule-based processing information from an external device via the network. 

Referring to claim 10, Schneier discloses a network monitoring system wherein a 
customer side firewall is configured to monitor data traffic through the network for potential 
unauthorized intrusions ([0035]-[0037]), which meets the limitation of receiving data transmitted 
via the network, identifying first data that may contain malicious content. Interesting information 
collected from the firewall is sent to an anomaly engine ([0064]). The anomaly engine 
determines what information may be worthy of additional analysis and sends the information to a
resource coordinator for forwarding to a remote secure operations center (SOC) ([0064]), which 
meets the limitations of generating report information based on the first data, forwarding the 
report information to an external device when the report information indicates that the first data 
potentially contains malicious content. The SOC may inform the network response subsystem of 
the client side to block certain traffic based on the received information ([0068]), which meets 
the limitation of the report information allowing the remote central management system to make 
a forwarding decision on behalf of the device. The anomaly engine receives only the information
that cannot be identified by the negative filtering (positively identifies traffic as not being 
malicious) or positive filtering (positively identifies traffic as being malicious) ([0064]). The 
anomaly engine analyzes this received information, called "residue", and forwards only 
interesting information to the SOC ([0064]). Meaning that all the "residue" that has not been 
provided to the SOC has been determined by the anomaly detector as being non-malicious traffic 
and would therefore be allowed, which meets the limitation of forwarding the first data to the 
user device when it is determined that the first data does not contain malicious content. 

Referring to claim 12, Schneier discloses that the anomaly engine determines what 
information may be worthy of additional analysis and sends the information to a resource 
coordinator for forwarding to a remote secure operations center (SOC) ([0064]). The information
transmitted to the SOC is done so via a VPN ([0042]), which meets the limitation of establishing 
a virtual private network connection to the external device, and wherein the forwarding the 
report information includes forwarding the report information over the virtual private network 
connection. 

Referring to claim 13, Schneier discloses that the SOC may inform the network response 
subsystem of the client side to block certain traffic based on the received information ([0068]), 
which meets the limitation of receiving, from the external device, information indicating whether 
the first data is to be forwarded to the user device, and dropping the first data when the 
information indicates that the first data is not to be forwarded.

Referring to claim 14, Schneier discloses that the firewall includes anti-virus
functionality that probes for viruses using signature files ([0037]), which meets the limitation of 
examining the received data for viruses using a signature-based technique. 

Referring to claim 16, Schneier discloses a network monitoring system wherein a 
customer side firewall is configured to monitor data traffic through the network for potential 
unauthorized intrusions ([0035]-[0037]), which meets the limitation of receive data transmitted
via a network, determine whether the data may contain malicious content using a first set of 
rules. The firewall receives filter updates from the SOC ([0037]), which meets the limitation of 
receive at least one set of rules from an external device, the at least one set of rules being 
associated with processing the received data. Interesting information collected from the firewall 
is sent to an anomaly engine ([0064]), which meets the limitation of identify first data that may 
contain malicious content based on the determining. The anomaly engine determines what 
information may be worthy of additional analysis and sends the information to a resource 
coordinator for forwarding to a remote secure operations center (SOC) ([0064]), which meets the 
limitations of generate report information based on the first data, forward the report information 
to an external device when the report information indicates that the first data potentially contains 
malicious content. The SOC may inform the network response subsystem of the client side to 
block certain traffic based on the received information ([0068]), which meets the limitation of 
the report information allowing the remote central management system to make a forwarding 
decision on behalf of the processor. The anomaly engine receives only the information that 
cannot be identified by the negative filtering (positively identifies traffic as not being malicious) 
or positive filtering (positively identifies traffic as being malicious) ([0064]). The anomaly 
engine analyzes this received information, called "residue", and forwards only interesting
information to the SOC ([0064]). Meaning that all the "residue" that has not been provided to the
SOC has been determined by the anomaly detector as being non-malicious traffic and would
therefore be allowed, which meets the limitation of forward the first data for processing by a user 
application when the report information indicates that the first data does not contain malicious 
content. 

Referring to claim 19, Schneier discloses that the anomaly engine determines what 
information may be worthy of additional analysis and sends the information to a resource
coordinator for forwarding to a remote secure operations center (SOC) ([0064]). The information 
transmitted to the SOC is done so via a VPN ([0042]), which meets the limitation of establish a
virtual private network tunnel with the external device and send the report information over the 
virtual private network tunnel. 

Referring to claim 20, Schneier discloses that the firewall includes anti-virus 
functionality that probes for viruses using signature files ([0037]), which meets the limitation of 
when identifying first data that may contain malicious content, the instructions cause the 
processor to identify a virus using a signature-based technique. 

Claim Rejections - 35 USC § 103

5. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in 
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made.

6. The factual inquiries set forth in Graham v. John Deere Co., 383 U.S. 1, 148 USPQ 459
(1966), that are applied for establishing a background for determining obviousness under 35 
U.S.C. 103(a) are summarized as follows: 

1. Determining the scope and contents of the prior art.

2. Ascertaining the differences between the prior art and the claims at issue. 

3. Resolving the level of ordinary skill in the pertinent art. 

4. Considering objective evidence present in the application indicating obviousness 
or nonobviousness. 

7. Claims 6, 15, 21 are rejected under 35 U.S.C. 103(a) as being unpatentable over Schneier,
U.S. Publication No. 2002/0087882, in view of Judge, U.S. Patent No. 6,941,467. Referring to 
claims 6, 15, 21, Schneier does not specify that the firewall filters for spam. However, it would 
have been obvious to one of ordinary skill in the art at the time the invention was made for the
client-side firewall of Schneier to filter for spam because spam consumes resources that 
negatively impacts productivity as taught by Judge (Col. 4, lines 42-46). 

8. Claims 7, 22 are rejected under 35 U.S.C. 103(a) as being unpatentable over Schneier, 
U.S. Publication No. 2002/0087882, in view of Bates, U.S. Patent No. 6,785,732. Referring to 
claims 7, 22, Schneier does not specify the type of data traffic that is received by the client-side. 
Bates discloses virus checking downloaded music files (Col. 10, lines 29-55). It would have been 
obvious to one of ordinary skill in the art at the time the invention was made for virus-checking 
functionality to scan all types of data traffic, including downloaded music files, because
computer viruses have emerged as a very real threat to data in today's computer systems, and 
checking files before they are downloaded would help to prevent virus infection as taught by 
Bates (Col. 1, lines 42-62). 

Conclusion

9. Any inquiry concerning this communication or earlier communications from the
examiner should be directed to Benjamin E. Lanier whose telephone number is 571-272-3805. 
The examiner can normally be reached on M-Th 7:30am-5:00pm, F 7:30am-4pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent
Application Information Retrieval (PAIR) system. Status information for published applications 
may be obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only. For more information about the PAIR 
system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would 
like assistance from a USPTO Customer Service Representative or access to the automated 
information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




